KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
So, let me go ahead and, you know, start right out and just talk about what we're gonna be covering here today. So, you know, when we talk about over the next 20 minutes, I'm gonna take you in, on an identity journey and we're gonna discuss what market trends global organizations are facing today. What business problems they're encountering, what legacy I, you know, why legacy, identity solutions are falling short, how artificial intelligence and machine learning can help them redefine their identity approach and, and a lot more.
So without further ado, let's go ahead and get started with our journey. So when we talk about, you know, the journey itself, you know, it's really, you know, we can't say more or enough about the risk of identity breaches on global organizations, and that can really, can't be overstated as can see in the slide, you know, cybercriminals continue attack organizations across the enterprise in various verticals themselves. The biggest market trend here is I, what I focus on is the 40 and 61% stat itself.
So where you have unauthorized access is the number one attack method used by summer criminals in 2020. And then you combine that with breaches that involve use credentials. It's no longer why, you know, 98% of identity breaches involved, some form of account abuse over the past year. And the takeaway here is, you know, user credentials are a continued and growing threat to enterprises worldwide. And that is why organizations need to redefine their approach, not to just identity itself, but also how they provide user access.
So we talk about, you know, the, the pressures that they're under, you know, we've gotta talk about the problems. So, you know, when we talk about this from a regulatory compliance, you know, let's face it, staying compliant requires a lot of time and effort to maintain, especially people change jobs, work on special projects or leave the organization.
So whether it's helping, you know, to comply with a global government regulation like GDPR or Sox or HIPAA compliance is a foundational cornerstone to reduce an organization's security risk, you know, a failed security audit or lack of access controls can lead to inappropriate access privileges and potential data breaches itself. The other thing, when you talk about operational efficiencies, you have IM solutions, you know, they're meant to automate access requests and certification reviews and user provision and deep provisioning. Unfortunately, the reality is quite different.
It, security teams are overwhelmed with access requests and certification reviews and user provision and deprovisioning tasks. As a result, they end up manually approving access requests or rubber stamping certifications, or bulk approving user account provisioning, and this type of fatigue based behavior results in an over provisioning of user access privileges across the entire enterprise. And as a result that can lead to unauthorized user access to systems, applications, and proprietary business information itself.
Now, when we talk about business enablement, you know, this is about, you know, governing user access to applications and systems across the entire enterprise is a very critical component to any security strategy. But oftentimes it also presents one of the greatest challenges, security professionals face as employees, contractors, temporary staff, joining a company change jobs, or eventually leave the company. Organizations must, can constantly manually update access policies to ensure users only have access to what they need while removing access they don't need.
And then finally, when we talk about securing risk management, you know, compromised identities caused by weak or stolen or default user credentials are probably the biggest growing threat to organizations today. And, you know, when you have identity solutions that are able, that enable business and it users to identify risky employee populations or policy violations and inappropriate access privileges, that's what they're meant to do.
Unfortunately, you know, some of these legacy identity solutions can only provide who has access to what visibility to a limited Nu to a limited number of authoritative sources. You know, one at a time. So we talk about this, you know, we talk about, you know, those problems, but let's also talk about, you know, why they're falling down or why they're falling short. And there's really four primary reasons here. First reason is identity silos. So many legacy IM solutions are only integrated with a few identity authoritative sources like active directory or your company's HR system.
So while on the surface, this doesn't seem like an issue at all, but in reality, it really is. And the reason is that that limited integration means you have limited user access visibility, but more importantly, a lack of consistent access visibility across your entire enterprise reason. Number two, again, operational inefficiency legacy IM solutions promise, full automation of access requests and certification and user provisioning, lifecycle management tasks. The reality is, again, securing risk teams are overwhelmed with all these requests, all these reviews and all these tasks.
They're so overwhelmed teams are typically manually approving, you know, access requests or the rubber stamping certifications, or they're doing bulk approvals of user account provisioning, which in turn results in the over provision of user access privileges across the entire organization. Reason number three, you have here is really no context. So legacy IM solutions are really good at providing visibility into a single authoritative source.
So, you know, what they're not very good at is providing context across multiple authorities, authoritative sources themselves, as a result, organizations are struggling to determine what users need access to what access they have and more importantly, why they need that access. So without that combination of visibility and context across the entire enterprise, your organization is blind to inappropriate user access privileges and potential unauthorized user access itself. Now reason number four, static data.
And what I mean by that is, you know, legacy IM solutions have provided tools like role modeling or role mining to help organizations achieve better operational efficiencies and compliance. So while role modeling has helped to better align users with the right access rights in themselves, this approach is only as good as the first date's implemented after that, your organization role model stale and out of date. And you're probably asking yourself, why is that? It's because your organization dynamically changes every hour of every day of every week of every year.
And because your access rights and roles and tournaments become outdated, your organization is more open to security, risk, and potential breaches themselves. So now that we understand, you know, what business challenges, you know, are facing enterprise organizations today, we're now gonna discuss how they can start to address them with something called identity fabrics. You talk about identity fabrics. You probably are asking yourself what's an identity fabric.
So as defined by cope Cole, the term identity fabric stands for a paradigm of a comprehensive set of identity services that delivers capabilities required for providing seamless and controlled access for everyone to every surface, to every service itself, they support various types of identities. You have employees, partners, consumers, and things. Identity fabrics is not a single technology or tool or cloud service, but a paradigm for, for architecting IM within the enterprise itself in commonly these services are provided by a set of tools or services themselves.
If you wanna learn more about identity fabrics, then I highly recommend you read the 20, 21 coverage of coal leadership compass on identity fabrics. So now that we know what it is, you know, now we need to understand why it's so important to organizations today. So with that, let me talk about, oops, let go one too fast here. One thing I want to talk about is why it's important identity fabrics is important to enterprise organizations because it provides an evolutionary evolutionary foundation to build a strong I am platform for delivering new features and services in the timely manner.
And I bring this up because for drag's, you know, identity fabric is our unified identity platform it's delivered as a service. So whether it's, you know, push button deployments to any cloud or it's your own data center, it supports any type of identity, identity type. So consumer workforce, citizens, partners, things we manage any and every identity type necessary. If you're a digital strategy, it supports any type of identity use case for access management, directory services, entitlement management, and governance. We don't solve one problem.
And then ask you to go off and figure out the rest we handle every identity challenge, your enterprise faces with an integrated platform that saves you both time and resources. And then last point I like to point out here is with our uni, with our identity platform, it supports any deployment options. So we offer that flexibility of choice, whether it's on premise, your cloud, our cloud, their cloud, or as a full, you know, as a service. The key takeaway here is that large complex organizations like yourselves choose Ford rock because we specialize in making sense of the ugly reality.
Most organizations face, you know, we can help you integrate and coexist with and modernize your legacy apps at your own pace while using the same identity platform to support your new applications and services themselves. So with that, you know, I've done kind of a high level. Let's kind of start talking about the new reality and how that impacts the I the identity fabric. So as I mentioned, four drugs identity fabric is our, is our unified identity platform. And that is an AI powered platform for all those services.
I mentioned earlier for access management, directory services, identity management governance, this, you know, new IM reality is that artificial intelligence, AI and machine learning, you know, ML techniques are really the new identity. Frontier, AI and ML are here to help improve existing IM solutions and processes.
They're not here to replace, you know, carbon-based life forms, you know, humans us they're here to help address existing IM shortcomings by helping to accelerate automation, to help securing risk teams work smarter, not harder with their daily identity related tasks, like access requests and certification reviews and user account provisioning and deprovisioning. The point here is that AI and ML are complimentary technologies to help you hyper automate your IM solutions and processes within your organization. Auto hyper automation is the future, and it's already here.
So case in point, the next few slides we're gonna discuss how forger is leveraging AI machine learning in one of its newest solutions called forger autonomous identity. So probably asking yourself what is forger autonomous identity? So at the highest level, autonomous identity is an AI driven identity analytic solution that allows organizations to achieve regulatory compliance, mitigate risk, while reducing cost at the same time by leveraging machine learning techniques, the solution collects and analyzes all identity data to identify security access and risk blind spots.
And by integrating with existing IGA solutions, for example, autonomous identity can provide your organization with wider and deeper insight into risks associated with user access. So now that you have a virtual idea or image of what Thomas I identity is prior to asking yourself, how does it work?
So at the very highest level, autonomous identity links users to entitlements at the lowest attribute level, it re it leverages user profile data to determine the likelihood a user will need an entitlement based on how entitlements are currently distributed across your enterprise or across your organization. And the solution does this in three simple ways. First it ingests all that user data, whether it's from identity management, identity governance, or HR LDAP database, whatever it may be, the data's consumed, it's aggregated across all the data sources.
We maintain a historical information, and then we provide a comprehensive user access landscape view of your entire organization. And then in step two, we apply AI machine learning to the aggregated identity data to first predict tolerance for a user. And then we explain its predictions in three ways, we provide a confidence score, justification and recommendation tolerance. And then in step three, with our intuitive UI, we allow security and it professionals that can review those predictions and take approval or certification actions immediately.
So from there, you know, it's, it's nice about how it works, but how's it work within my own, you know, enterprise. So, as I mentioned earlier, you know, autonomous identity works with all your existing identity investments to develop a complete view of your user access landscape. So your total landscape visibility provides highly accurate models of what good access should and shouldn't look like.
So unlike other, you know, or legacy IGA solutions themselves that are based upon roles and rules and peer group analysis, autonomous identity relies strictly on the data in your organization to develop an analysis, which is free from any bias that might come from human derived rules or roles in your existing, you know, that may exist in your existing identity solution itself. So wouldn't it be nice if you could take all your identity data and then, you know, leverage AI and machine learning that allows you to fully comprehend how and why risk conference scores are determined.
And then by visually presenting them with like low, medium high risk confidence scores together you're securing risk professional teams can actually understand what the key risk indicators, you know, were met and more importantly, why they were met. So this AI driven approach recommends, you know, risk based remediation recommendations based on enterprise wide confidence scores themselves.
So the nice thing is, you know, once you have those AI driven contextual insights, you know, and those have determined Tom's identity can automatically push those remediation recommendations, such as access predictions, access, provision, or deprovisioning, even role definitions directly back to your existing identity governance solution. This actionable intelligence approach enables security and risk professionals to take immediate action, accelerate decision making and improve operational efficiencies across your entire enterprise.
So you're probably asking yourself, well, that sounds great, but you know, what, what, how do you actually drive, you know, what drives that access or that AC you know, that computational access within autonomous identity? So, like I mentioned before, autonomous identity starts at that global level and drills down into user access rights to see the lowest level of common characteristics of user who shares the type of access. And we call that the dynamic access principle and the higher, the frequency of occurrence of a dynamic access principle, the stronger that principle is.
So to see if the principle stands, what autonomous identity does, is it analyzes to see if the patent exists outside the original group, across the rest of the organization. If the patent turns up somewhere than the principles weaken, if it does not exist outside the original data set, that's analyzed, then that dynamic principle access principle is strengthened and concern and, and confirmed. So at the high level, this is how we determine confidence scores themselves.
And these threads of commonality can be derived from many different characteristics, such as peer groups, your department, your salary band, years of experience, or any particular certification. So on as you see here listed.
So what does that mean when it comes to, you know, contextual insights and transparency by grouping the confidence scores, you know, by these different color blocks, whether it's, you know, green, yellow, red, this gives you the ability to visualize where you should be spending your time, what new policies you should be creating, which new access requests you should be automating, which entitlements truly need to be certified on an ongoing basis on an ongoing basis. And more importantly, which ones you don't, because you've got high confidence. You probably don't need to look at those.
You probably need to look at the ones that are in yellow and red in this case, blue and orange themselves. So it's a nice way to, to get that contextual insights and get that transparency really quickly within autonomous identity. So you're probably asking yourself, well, what, what type of outcomes do I get with this? So in the interest of time, I'm not gonna go through all of these, but I will go through one use case and, and quickly discuss how confidence is that foundation for better, higher fidelity roles itself.
And in the role optimization use case autonomous identity, you know, uses machine learning to discover rules, right? Rules are com have three core components, user features, or user attributes, entitlements, and confidence score. So what autonomous identity does that? It builds roles based on discovered rules. That role model has two inputs. It's got confidence, score thresholds and the minimum number of identities per role. So the role model looks at roles based on that commonality in rules, across the organization and common entitlements in common user features themselves.
The point here is that autonomous identity leverages those rules and confidence scores to create fewer higher quality roles to help you optimize your role model. In this case, you'd be focused on the, the high confidence of the green boxes, where your role modeling and your target, right? It's a target that allows your organization to increase role-based access controls of what we call R back, via least privileged model. And also at the same time, it allows you to lower your role management overhead over time, because you're optimizing your role model that you have in place today.
Now, that sounds all great, but you know, let's talk about a reality here and how someone, one of our customers, a multinational financial services company, how they were able to leverage four drugs, autonomous identity, AI machine learning capabilities to achieve real world business outcomes. Now on the business front, give you a little background. This organization has a legacy Oracle solution in place. And even with this solution in place, since 2014, they still had three primary business challenges ahead of them.
Number one, they had a role explosion, basically too many roles in the organization. Number two, duplicate roles. They had no idea how many duplicate roles they had. And then number three, they had high IGA related costs associated with asset in certifications. So back in December of 2020, the initial autonomous identity implementation covered a small business unit of 2,700 employees and seven internal applications. In the phase one implementation the organization realized three primary business value outcomes directly tied to autonomous identity.
Those three outcomes were number one time savings, a 60% reduction in request revocations and certifications. Number two was security improvements. They went from they at the end of three months, they went from a 1.8% outlier revocation rate to 34%. That is a 20 X improvement in less than 90 days. And then number three, user experience, huge, huge, huge issue here. They now have 80% less clicks during the access and certification review process.
So the key takeaway here is, like I mentioned earlier, AI machine learning are here to help improve existing IM solutions and processes, the complimentary technologies to help you hyper automate your IM solutions and processes within your organization. So with that, let me just have a few parting words here from a summary organizations who are providing, you know, access based on limited static data are really exposing their businesses to unnecessary risks. They need to evolve their current thinking and approach. They need to work harder, not smarter.
The point here is they're trying to address the most pressing questions facing the organization today. And those three questions are, how do I develop a model that solves my access problem. Number two, how do I do that cost effectively? And number three, how do I solve my access problem? And I dynamic enterprise, and you do this by redefining your identity approach.
You achieve this with an AI and machine learning based solution, like autonomous identity, you know, a solution that provides actual insights and realtime access reality, a reality that provides your organization, the ability to achieve regulatory compliance, mitigate risk, while reducing costs and what that, if there's any time remaining, I'll take some questions.
